In the past few years, no IT regulation has affected companies and society as profoundly as the EU GDPR. Whether a corporate group, an association or a start-up, every organization has had to implement rules for the protection of personal data since May 25, 2018. At least one goal has thereby been achieved: the EU GDPR placed data protection high on the agenda of everyone who stores or processes personal data. In addition, the number of real hacker attacks can be determined for the first time, because breaches of personal data that could harm data subjects must be reported to the authorities under the General Data Protection Regulation. This information is an important aid in the fight against cyber crime.
EU GDPR: data documentation as a mammoth project
At the same time, many companies find it difficult to implement the rules. According to a Bitkom survey from September 2019, only one in four companies had implemented all requirements more than a year after the EU GDPR came into force. Above all, the obligation to document which data a company collects, for what purpose it uses it and how it processes it is a mammoth project. Implementation is easier for companies that already maintained a register of their data processing procedures. Once the hurdle has been cleared, however, the documentation offers a comprehensive overview of the company's data and a valuable basis for future work. So the effort is worth it.
Bureaucratic hurdle for small companies
It is also true, however, that the EU GDPR represents a bureaucratic hurdle, especially for small organizations, and one that is not always proportionate to its purpose. The Federal Government has recognized this and is making things easier. The obligation to appoint a company data protection officer has already been relaxed: it now applies only to companies with at least 20 employees, rather than ten as before.
EU GDPR: legal uncertainty versus pragmatism
According to a Bitkom survey, uncertainty about how to interpret the requirements is another major hurdle to their implementation. The EU GDPR, for example, remains unclear on the obligation to obtain consent for setting cookies. A CJEU judgment has since provided clarity: tracking cookies may only be set with the express consent of the user. Particularly strict interpretations of the EU GDPR, which extended to doorbell name plates, business cards and class photos, also caused uncertainty. That uncertainty now seems to have given way to healthy pragmatism: business cards change hands as they always have, and a name still hangs over most doorbells.
The fact that the feared large wave of warning letters has so far failed to materialize also contributes to a more relaxed attitude. According to DLA Piper, the EU states imposed fines totaling 114 million euros between the GDPR coming into effect and January 17, 2020. Compared with the maximum fines of up to 20 million euros or four percent of annual turnover per company that the EU GDPR allows, this seems relatively low. Nevertheless, sanctions have been imposed and important signals sent.
In 2019, the real estate group Deutsche Wohnen received the highest fine imposed in Germany to date: 14.5 million euros. In second place at the end of 2019 was a fine of 9.6 million euros against the telecommunications group 1&1 Drillisch. The company had not protected itself sufficiently against third parties gaining access to personal customer data.
EU GDPR: gaps in the existing rules
Fines could increase significantly in the coming years. The Federal Commissioner for Data Protection and Freedom of Information, Ulrich Kelber, has announced a stricter approach to violations of the requirements. His main target is larger corporations. Medium-sized and small companies should nevertheless continue to take data protection seriously, not least because responsible handling of customer and employee data strengthens a company's image and promotes competitiveness.
However, the EU GDPR lacks some important rules for the protection of personal data. For example, there are hardly any explicit requirements for online trading. Here, the e-Privacy Regulation (ePVO) will soon provide clarity. It will regulate the protection of personal data in digital communication across Europe. Originally, the ePVO was supposed to come into force together with the EU GDPR. Because the member states have not yet been able to agree on a common line, there were delays. The ePVO is now expected to be published in 2020. What the regulation will look like is not yet publicly known.
EU GDPR: Manufacturers undermine data protection
Critics see another gap in the EU GDPR in the fact that manufacturers have not been obliged to develop products that promote data protection. Privacy by design, i.e. taking data protection into account when a device is produced, is an important building block for the safe handling of data. Some companies have already begun to tear down the barrier between DevOps and IT security and to establish new methods in the spirit of "DevSecOps". Legislators must support this development so that data protection-compliant products are available on the market.
The same applies to storing data in the cloud. The dominant cloud providers are located abroad, and it is not uncommon for the EU GDPR to be undermined by the regulations that apply there. For example, the "Clarifying Lawful Overseas Use of Data Act" obliges American cloud providers to grant US authorities access to data even when it is not stored in the United States, and thus undermines the EU GDPR. This also threatens the competitiveness of German companies, because the technical provisions required for such access also increase the risk that cybercriminals and third countries gain access to companies' technical know-how.
New IT security technologies
Foreign cloud providers are increasingly offering their customers the option of storing their data in Germany. In this way they want to comply with European law. However, this does not really solve the problem: the cloud providers themselves can still access the data and, due to legal requirements in their countries of origin, are obliged to grant access to third parties.
To genuinely comply with the EU GDPR, what is needed instead are new IT security technologies supplied by providers that are fully subject to European jurisdiction. A data-centric approach should also be chosen, in which all data is encrypted, the customer decides where the data is stored, and the keys remain solely in the customer's possession. Attempts by third parties to access the data then have no chance of success.
Finally, there is the question of how far the Europe-wide harmonization of data protection actually goes. In principle, the EU GDPR applies in all member states and takes precedence over national regulations. However, numerous so-called "opening clauses" give the legislators of the member states the opportunity to specify and supplement the EU GDPR through their own legislation. For the handling of employee data, for example, the EU GDPR provides that more specific rules may be enacted. This poses an additional challenge for companies with locations across Europe.
EU GDPR – on the way to more data protection
The EU GDPR is a milestone on the way to greater protection of personal data. After two years, it is clear that a lot has already been achieved and that implementation is ongoing. But the regulation is only the beginning. Further requirements are necessary in order to achieve full digital sovereignty. The EU GDPR sets the basic direction for this; companies, society and politics must now consistently continue on this path. (sg)
About the author: Dr. Falk Herrmann is CEO of Rohde & Schwarz Cybersecurity. The IT security provider protects the digital information and business processes of companies and public institutions worldwide against cyber attacks. Rohde & Schwarz Cybersecurity offers innovative data security solutions for cloud environments, enhanced security for websites, web applications and web services, as well as network encryption, desktop and mobile security.